monorepo package dependencies are usable across packages, also allows use of phantom dependencies #4274

Open
josefaidt opened this issue Aug 23, 2023 · 1 comment
Labels
bug Something isn't working bun install Something that relates to the npm-compatible client

Comments

@josefaidt
Contributor

What version of Bun is running?

0.7.3

What platform is your computer?

Darwin 22.5.0 arm64 arm

What steps can reproduce the bug?

  1. clone this repo https://github.com/josefaidt/bun-monorepo-shared-packages-repro
  2. run bun install
  3. run bun run --cwd packages/package-a start
  4. observe the instance of itty-router's Router is logged

What is the expected behavior?

bun is unable to resolve the dependency

What do you see instead?

I am able to use a dependency from package-b in package-a without declaring it

Additional information

with pnpm npm packages will not be resolved if they are not declared as a dependency in the monorepo package

this is a mechanism to prevent the use of "phantom dependencies"

So let's consider why phantom dependencies are a problem. Imagine you depend on the parse-git package. parse-git depends on lodash, so since lodash is hoisted to the outermost node_modules, you can use lodash in your code without explicitly including it in your package.json. The problem arises the day the authors of parse-git decide that they no longer need lodash and remove the dependency ✂️ Now your code is going to crash with a module not found error 💣 Even worse, if lodash is updated to a version with breaking changes, then your app may not crash, but suddenly start to misbehave in a difficult to debug manner.
https://www.coana.tech/post/a-quick-introduction-to-phantom-dependencies

this is also helpful when onboarding new developers to a project, as they will not need to decipher what dependency is installing the phantom dependency used in the project's code


for example, when installing with bun my project structure is:

├── bun.lockb
├── node_modules
│   ├── itty-router
│   │   ├── (lots of files)
│   ├── package-a -> ../packages/package-a
│   └── package-b -> ../packages/package-b
├── package.json
├── packages
│   ├── package-a
│   │   ├── package.json
│   │   └── start.ts
│   └── package-b
│       └── package.json
└── readme.md

however if I install using pnpm:

├── node_modules
│   ├── .modules.yaml
│   └── .pnpm
│       ├── itty-router@4.0.22
│       │   └── node_modules
│       │       └── itty-router
│       │           ├── (lots of files)
│       ├── lock.yaml
│       └── node_modules
│           └── itty-router -> ../itty-router@4.0.22/node_modules/itty-router
├── package.json
├── packages
│   ├── package-a
│   │   ├── package.json
│   │   └── start.ts
│   └── package-b
│       ├── node_modules
│       │   └── itty-router -> ../../../node_modules/.pnpm/itty-router@4.0.22/node_modules/itty-router
│       └── package.json
├── pnpm-lock.yaml
├── pnpm-workspace.yaml
└── readme.md


@josefaidt josefaidt added the bug Something isn't working label Aug 23, 2023
@robobun robobun added the bun install Something that relates to the npm-compatible client label Sep 9, 2023
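
With a hoisted node_modules layout like the one in the issue above, an undeclared import still resolves, so it has to be caught by comparing source imports against each package's own manifest. The following is an added example, not part of the issue, the repro repository or Bun; the function names, the abbreviated built-in list and the sample manifests and source are constructed for illustration.

```javascript
// Heuristic check (regex-based, so a commented-out import can also match).
// Node built-ins to ignore: abbreviated list, extend it for your code base.
const BUILTINS = new Set(["assert", "child_process", "crypto", "events", "fs",
  "http", "https", "os", "path", "stream", "url", "util"]);

// import ... from "x", export ... from "x", import "x", import("x"), require("x")
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)["']([^"']+)["']/g;

// "lodash/fp" -> "lodash", "@scope/pkg/sub" -> "@scope/pkg"
function packageName(specifier) {
  const parts = specifier.split("/");
  return specifier.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
}

// True for specifiers that must be satisfied by an installed package.
function isBare(specifier) {
  if (/^(\.|\/|node:|bun:)/.test(specifier) || specifier === "bun") return false;
  return !BUILTINS.has(packageName(specifier));
}

// manifest: parsed package.json; sources: { fileName: sourceText }
function findPhantomImports(manifest, sources) {
  const declared = new Set();
  for (const field of ["dependencies", "devDependencies",
                       "peerDependencies", "optionalDependencies"]) {
    for (const name of Object.keys(manifest[field] ?? {})) declared.add(name);
  }
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const match of text.matchAll(SPECIFIER_RE)) {
      if (!isBare(match[1])) continue;
      const name = packageName(match[1]);
      if (name !== manifest.name && !declared.has(name)) {
        findings.push({ file, package: name });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the layout in the issue (not the repro's files).
const packageA = { name: "package-a", dependencies: {} };
const packageB = { name: "package-b", dependencies: { "itty-router": "4.0.22" } };
const sources = { "start.ts":
  'import { Router } from "itty-router";\nimport path from "node:path";\nconsole.log(Router);\n' };
console.log(findPhantomImports(packageA, sources));
```

Run per workspace package in CI, a non-empty result marks an import that works only because another package's dependency was hoisted.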
@evelant

evelant commented Sep 12, 2023

IMO it would be great if Bun defaulted to creating "safe" node_modules folders where only declared dependencies are resolvable like pnpm does. I don't see how flattening node_modules provides any useful benefit but it does introduce annoying and unnecessary problems.
